CVE-2025-2506

Published May 22, 2025

Last updated 2 months ago

Overview

Description
When pglogical attempts to replicate data, it does not verify it is using a replication connection, which means a user with CONNECT access to a database configured for replication can execute the pglogical command to obtain read access to replicated tables. When pglogical runs it should verify it is running on a replication connection but does not perform this check. This vulnerability was introduced in the pglogical 3.x codebase, which is proprietary to EDB. The same code base has been integrated into BDR/PGD 4 and 5. To exploit the vulnerability the attacker needs at least CONNECT permissions to a database configured for replication and must understand a number of pglogical3/BDR specific commands and be able to decode the binary protocol.
Source
20be33e2-bf35-4d13-8fad-18bd2f3e3659
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
5.3
Impact score
3.6
Exploitability score
1.6
Vector string
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity
MEDIUM

Weaknesses

20be33e2-bf35-4d13-8fad-18bd2f3e3659
CWE-862
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-862

Social media

Hype score
Not currently trending

References

Sources include official advisories and independent security research.